update

progress-update.md

@@ -0,0 +1,115 @@
+# Project Progress Update
+
+Date: February 13, 2026
+Project: FoodProject SOC Platform (Wazuh + Shuffle + IRIS-web + SOC Integrator)
+
+## 1) Executive Summary
+
+The MVP platform is operational and running end-to-end in the lab environment.
+Core integrations are in place:
+- Detection: Wazuh
+- Automation: Shuffle
+- Case management: IRIS-web (replacing DFIRTrack)
+- Escalation (MVP): PagerDuty Stub
+- Orchestration/API layer: soc-integrator
+
+All major containers are currently up, and key health checks are passing.
+
+## 2) Completed Work
+
+### Platform orchestration and operations
+- Combined stack runner created and improved (`run-combined-stack.sh`)
+- Added command support for:
+  - `up`, `down`, `logs`, `status`, `help`
+  - per-target control (`wazuh`, `iris`, `shuffle`, `pagerduty`, `integrator`)
+- Added consolidated health/status script (`soc-status.sh`)
+
+### Integration architecture
+- Connected Wazuh, Shuffle, IRIS-web, PagerDuty Stub, and soc-integrator on shared network
+- Resolved startup conflicts and runtime issues (port, compose, routing compatibility)
+
+### SOC Integrator (MVP)
+- Added/validated integration APIs for:
+  - Wazuh
+  - Shuffle
+  - IRIS-web
+  - PagerDuty Stub
+- Implemented MVP orchestration endpoints:
+  - `POST /mvp/incidents/ingest`
+  - `POST /mvp/ioc/evaluate`
+  - `POST /mvp/vpn/evaluate`
+  - `GET /mvp/config/policies`
+  - `PUT /mvp/config/policies`
+  - `GET /mvp/health/dependencies`
+- Added internal API-key protection for mutation endpoints
+
+### Persistence layer
+- Added PostgreSQL service for soc-integrator (`soc-integrator-db`)
+- Added incident/policy/audit schema and startup initialization
+- Enabled deduplication and audit tracking for incident processing
+
+### Testing utilities and documentation
+- Added Wazuh test-event injection script:
+  - `scripts/send-wazuh-test-events.sh`
+- Added root project docs:
+  - `README.md`
+- Added root ignore rules:
+  - `.gitignore`
+
+## 3) Current Live Status (Lab)
+
+Current stack status: **UP**
+
+Healthy/available components:
+- Wazuh manager, indexer, dashboard
+- IRIS-web app/nginx/worker/db/rabbitmq
+- Shuffle backend/frontend/opensearch/orborus
+- PagerDuty Stub
+- soc-integrator + soc-integrator-db
+
+Endpoint checks:
+- Wazuh Dashboard: OK
+- Wazuh API: OK (auth-protected, expected 401 on unauthenticated root)
+- IRIS Web: OK
+- Shuffle Frontend: OK
+- Shuffle Backend: reachable
+- Shuffle OpenSearch: reachable (auth-protected)
+- PagerDuty Stub: OK
+- soc-integrator `/health`: OK
+
+## 4) In Progress / Remaining for Customer UAT
+
+1. Detection content tuning
+- Fine-tune Wazuh rules/decoders for customer log patterns and false-positive reduction
+
+2. Use-case calibration
+- Validate risk/severity mapping per approved use cases
+- Tune exception list and threshold logic (especially VPN geo anomaly)
+
+3. UAT evidence package
+- Capture deterministic UAT scenarios and outputs for:
+  - IOC flow
+  - VPN outside-TH flow
+  - IRIS case creation/update
+  - PagerDuty Stub escalation path
+
+4. Production hardening items
+- Rotate default/local secrets used in lab config
+- Lock down internal API keys and access boundaries
+
+## 5) Risks / Notes
+
+- Current escalation target is **PagerDuty Stub** by design for MVP.
+  Real PagerDuty production integration is the next stage.
+- Some Wazuh config certificate directories are root-owned in the local lab clone, which may affect local git add operations if not excluded/fixed.
+
+## 6) Next Milestone (Proposed)
+
+Next milestone: **MVP UAT Completion**
+
+Target outputs:
+- Approved UAT checklist execution
+- Tuned policy thresholds for customer environment
+- Signed-off incident lifecycle flow:
+  Wazuh event -> soc-integrator decision -> IRIS case -> PagerDuty Stub escalation
+